ccna discovery 4.0 designing and supporting computer networks

© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicITE PC v4.0Chapter 1 1

CCNA Discovery 4.0Designing and Supporting Computer Networks

Introducing Network Design Concepts– Chapter 1

ITE PC v4.0Chapter 1 2© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public

INTRODUCTION

Swelling user populations have catapulted scalability to the top of criteria for Business Intelligence solutions…Employees in every department and division are accountable for profitability, managers at every level are accountable for operational execution, and executives are accountable for strategy and regulatory compliance. As a result, IT is being held accountable for providing a scalable, cost-effective infrastructure to access and integrate data from a wide range of sources, generate insightful information, and deliver that information inside and outside the enterprise to every stakeholder responsible for managing business performance.


INTRODUCTION


Objectives


Network Design Overview

Network Requirements•around-the-clock customer service•business networks must be available nearly 100 percent of the time

Building a Good Network•result of hard work by network designers and technicians


Network Design OverviewNetwork Requirements

•Should stay up all the time•Reliably deliver applications and provide reasonable response times from any host to any host•Secure - protect the data that is transmitted over it, as well as data stored on the devices that connect to it •Easy to modify to adapt to network growth and general business changes•Finding and fixing a problem should not be too time-consuming


The benefits of Hierarchical Network Design

Hierarchical Network Design

Used to group devices into multiple networksorganized in a layered approach

Three basic layers:

Core Layer - Connects Distribution Layer devices

Distribution Layer - Interconnects the smaller local networks

Access Layer - Provides connectivity for network hosts and end devices


Network Design Overview



Enterprise Campus - This area contains the network elements required for independent operation within a single campus or branch location.

Server Farm - A component of the enterprise campus, the data center server farm protects the server resources and provides redundant, reliable high-speed connectivity.

Enterprise Edge - As traffic comes into the campus network, this area filters traffic from the external resources and routes it into the enterprise network.


Network Design MethodologiesLarge network design projects are normally divided into three distinct steps:

Step 1: Identify the network requirements.

Step 2: Characterize the existing network.

Step 3: Design the network topology and solutions


Network Design MethodologiesCommon strategy

top-down approach - network applications and service requirements are identified & then the network is designed to support them

when the design is complete, a prototype or proof-of-concept test is performed = ensures that the new design functions as expected before it is implemented.


Network Design Methodologies

Impacting the Entire Network

Network requirements that impact the entire network include:

– Adding new network applications and making major changes to existing applications, such as database or DNS structure changes

– Improving the efficiency of network addressing or routing protocol changes

– Integrating new security measures

– Adding new network services, such as voice traffic, content networking, and storage networking

– Relocating servers to a data center server farm


Network Design Methodologies

Impacting a Portion of the Network

Requirements that may only affect a portion of the network include:

– Improving Internet connectivity and adding bandwidth

– Updating Access Layer LAN cabling

– Providing redundancy for key services

– Supporting wireless access in defined areas

– Upgrading WAN bandwidth


What happens at the Core Layer?Core Layer = network backbone

Routers and switches at the Core Layer provide high-speed connectivity

May connect multiple buildings or multiple sites, as well as provide connectivity to the server farm

Support Internet, Virtual Private Networks (VPNs), extranet, and WAN access


What happens at the Core Layer?

Goals of the Core Layer–Provide 100% uptime

–Maximize throughput

–Facilitate network growth



Core Layer Technologies:–Routers or multilayer switches that combine routing and switching in the same device

–Redundancy and load balancing

–High-speed and aggregate links

–Routing protocols that scale well and converge quickly, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) protocol


Network Traffic Prioritization

• Network Designers

• strive to provide a network that is resistant to failures and can recover quickly in the event of a failure



Redundant components

Costly but worth the investment

Core layer devices

hot-swappable components - reduces repair time and disruption to network services

Generators and large UPS devices - prevent minor power outages from causing large-scale network failures



Reducing Human Error

failures are the result of poorly planned, untested updates or additions of new equipment

never make a configuration change on a production network without first testing it in a lab environment!

failures at the Core Layer cause widespread outages – plan a back-out strategy to return the network to its previous state if changes are not successful


Network Convergence

Network convergence = all routers have complete and accurate information about the network.

•faster the convergence time, the quicker a network can react to a change in topology. •Factors:

• routing update speed • calculation time for best paths


Network Convergence

• Dependent on Routing Protocol

• Static links and dynamic links

• PT 1.2.3.2 – Observing Network Convergence


What happens at the Distribution Layer? routing boundary

between the Access Layer and the Core Layer

serves as a connection point between remote sites and the Core Layer

built using Layer 3 devices - routers or multilayer switches, provide many functions that are critical for meeting the goals of the network design


What happens at the Distribution Layer?

Filtering and managing traffic flows

Enforcing access control policies

Summarizing routes before advertising the routes to the Core

Isolating the Core from Access Layer failures or disruptions

Routing between Access Layer VLANs


What happens at the Distribution Layer?

Trunk links are often configured between Access and Distribution Layer networking devices.

Redundant links exist between devices in the Distribution Layer, the devices can be configured to load balance the traffic across the links.

Distribution Layer networks are usually wired in a partial mesh topology. (provides enough redundant paths to ensure that the network can survive a link or device failure)


Limiting the scope of network failures


Limiting the scope of network failures

Switch Block - Routers, or multilayer switches, are usually deployed in pairs, with Access Layer switches evenly divided between them.

Each switch block acts independently of the others.

The failure of a single device does not cause the network to go down. Even the failure of an entire switch block does not impact a significant number of end users.


Building a redundant Network

Redundancy at the Distribution Layer

Providing multiple connections to Layer 2 switches can keep the network from failing

STP (Spanning Tree Protocol) guarantees that only one path is active between two devices.



STP guarantees that only one path is active between two devices

If one of the links fails, the switch recalculates the spanning tree topology and automatically begins using the alternate link

Rapid Spanning Tree Protocol (RSTP), provides rapid convergence of the spanning tree



A high volume, enterprise server is connected to a switch port

STP could cause the server to be down for 50 seconds

A faulty power supply causes the device to reboot unexpectedly - BAD


Traffic Filtering at Distribution Layer

The router examines each packet and then either forwards or discards it, based on the conditions specified in an Acces Control List (ACL)

Standard ACLs filter traffic based on the source address

Extended ACLs can filter based on multiple criteria including:–Source address

–Destination address

–Protocols

–Port numbers or applications

–Whether the packet is part of an established TCP stream



Complex ACLs– Dynamic ACL

• requires a user to use Telnet to connect to the router and authenticate

• referred to as "lock and key" because the user is required to login in order to obtain access.

– Reflexive ACL

• allows outbound traffic and then limits inbound traffic to only responses to those permitted requests.

– Time-based ACL

• permits and denies specified traffic based on the time of day or day of the week.


Standard Access-Lists

Activity – 1.3.4.2


Standard Access-Lists Activity – 1.3.4.2


Routing Protocols at the Distribution Layer

Route Summarization

One route in the routing table that represents many other routes, creating smaller routing tables

Less routing update traffic on the network

Lower overhead on the router


Routing Protocols at the Distribution Layer

Activity 1.3.5.2 - SUMMARIZATION


What happens at the access layer?

Access Layer

Uses Layer 2 switching technology to provide access into the network.

Access through a permanent wired infrastructure or through wireless access points


What happens at the access layer?

Wiring Closets

actual closets or small telecommunication rooms that act as the termination point for infrastructure cabling within buildings or within floors of a building


What happens at the access layer? Many different devices can connect to an IP network,

including:– IP telephones

– Video cameras

– Video conferencing systems


What happens at the access layer? Access Layer management is crucial due to:

– increase in the number and types of devices connecting at the Access Layer

– introduction of wireless access points into the LAN

– designing for manageability

In addition to providing basic connectivity at the Access Layer, the designer needs to consider:

– Naming structures

– VLAN architecture

– Traffic patterns

– Prioritization strategies


Network Topologies at Access Layer

The disadvantages of a star topology are significant:

– The central device represents a single point of failure.

– The capabilities of the central device can limit overall performance for access to the network

– The topology does not recover in the event of a failure when there are no redundant links

Ethernet star topologies usually have a combination of the following wiring:

– Twisted pair wiring to connect to the individual end devices

– Fiber to interconnect the access switches to the Distribution Layer devices


How VLANs Segregate Traffic?

Using VLANs and IP subnets is the most common method for segregating user groups and traffic within the Access Layer network

VLANs are used to separate and classify traffic streams and to control broadcast traffic within a single wiring closet or building


How VLANs Segregate and Control Network Traffic?

Without VLAN


How VLANs Segregate and Control Network Traffic?

With VLAN


Services at the Network Edge

Quality of Service

•Networks must provide secure, predictable, measurable and, at times, guaranteed services

•Networks also need mechanisms to control congestion when traffic increases

•Congestion is caused when the demand on the network resources exceeds the available capacity


Services at the Network Edge


Security at the Network Edge

Security Risks at the Access Layer



How Can the Network Designer Improve Security?– Permitting network access to only known or authenticated

devices

– Apply wireless security measures that follow recommended practices.

– Locking wiring closets and restricting access to networking devices (physical security)

– Cameras or motion detection devices and alarms.



Hands-on Lab 1.4.5.2 – Identifying Network Vulnerabilities


Security Measures

Securing Access Layer Networking Devices– Setting strong passwords

– Using SSH to administer devices

– Disabling unused ports

– Switch port security and network access control can ensure that only known and trusted devices have access to the network


Security Measures

Hands-on Lab 1.4.6.2 – Gaining Physical Access to the Network

Hands-on Lab 1.4.6.3 – Implementing Switch Port Security


What is a server farm?

Server farms are typically located in computer rooms and data centers (email, web, etc.)

Network traffic enters and leaves the server farm at a defined point ( easier to secure, filter, and prioritize traffic)

Redundant, high-capacity links can be installed to the servers as well as between the server farm network and the main LAN

Load balancing and failover can be provided between servers and between networking devices


PT Activity 1.5.1.2 – Observing and Recording Server Traffic


Security, Firewalls and DMZs

Protecting Server Farms Against Attack

– Firewalls

– LAN switch security features

– Host-based and network-based intrusion detection and prevention systems

– Load balancers

– Network analysis and management devices



Demilitarized Zones

In the traditional network firewall design, servers that needed to be accessed from external networks were located on a demilitarized zone (DMZ)

Users accessing these servers from the Internet or other untrusted external networks were prevented from seeing resources located on the internal LAN



Protecting Against Internal Attacks

Attacks originating on the internal network are now more common than attacks from external sources

A layer of firewall features and intrusion protection is required between the servers and the internal networks, as well as between the servers and the external users


Providing High Availability

A highly available network is one that eliminates or reduces the potential impact of failures.

This enables the network to meet requirements for access to applications, systems, and data from anywhere, at any time.



Building in Redundancy

To achieve high availability, servers are redundantly connected to two separate switches at the Access Layer

This redundancy provides a path from the server to the secondary switch if the primary switch fails



Virtualization

Many separate logical servers can be located on one physical server

The physical server uses an operating system specifically designed to support multiple virtual images


Considerations unique to WLAN Will wireless roaming be required?

What authentication for users is needed?

Will open access (hotspots) be provided for the guests?

Which network services and applications are available to wireless users?

What encryption technique can be used?

Are wireless IP telephones planned?

Which coverage areas need to be supported?

How many users are in each coverage area?


Considerations unique to WLAN



Physical Network Design

Focuses on the physical coverage areas of the network.

The network designer conducts a site survey to determine the coverage areas for the network and to find the optimum locations for mounting wireless Access Points



Logical Network Design

Provide different levels of access to different types of wireless users. In addition, wireless networks must be both easy to use and secure.

– Open wireless access for their visitors and vendors

– Secured wireless access for their mobile employees

– Reliable connectivity for wireless IP phones



Open Guest Access

Typically is not Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) encrypted.

To help guest users connect to the network, the Access Point service set identifier (SSID) is broadcast.

Many hotspot guest systems use DHCP and a logging server to register and record wireless use.

Guest users typically access the wireless network by opening a browser window and agreeing to a specified usage policy.



Secured Employee Access

Use an entirely separate WLAN infrastructure that does not include guest access. The recommended practice is to separate the internal users on a different VLAN.

– Non-broadcast SSID

– Strong encryption

– User authentication

– Virtual Private Network (VPN) tunneling for sensitive data

– Firewall and intrusion prevention

– MAC address filtering can be used to limit access.


Design Considerations at enterprise edge

Cost of Bandwidth

QoS (managing the queuing of data)

Security

Remote Access


Integrating Remote sites into the network Design Leased lines

Circuit-switched networks

Packet-switched networks, such as Frame Relay networks

Cell-switched networks such as Asynchronous Transfer Mode (ATM) networks


Integrating Remote sites into the network Design

Remote workers

Mobile workers

Branch employees

Virtual Private Networks


Redundancy and backup links

Redundancy is required on WAN links and is vitally important to ensure reliable connectivity to remote sites and users.

For a WAN, backup links provide the required redundancy. Backup links often use different technologies than the primary connection. This method ensures that if a failure occurs in one system, it does not necessarily affect the backup system.


Redundancy and backup links

Load Sharing

In addition to providing a backup strategy, redundant WAN connections can provide additional bandwidth through load sharing. The backup link can be configured to provide additional bandwidth all of the time or during peak traffic time only.


CCNA Discovery 4.0Designing and Supporting Computer

Networks

Introducing Network Design Concepts– Chapter 1

ccna discovery 4.0 designing and supporting computer networks

Documents